TenantAtlas/tests/Feature/Filament/TenantActionsAuthorizationTest.php

<?php

use App\Filament\Pages\ChooseTenant;
use App\Filament\Pages\TenantDashboard;
use App\Filament\Resources\TenantResource\Pages\ListTenants;
use App\Models\Tenant;
use Filament\Facades\Filament;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Gate;
use Livewire\Livewire;

uses(RefreshDatabase::class);

test('readonly users may switch current tenant via ChooseTenant', function () {
    [$user, $tenantA] = createUserWithTenant(role: 'readonly');

    $tenantB = Tenant::factory()->create([
        'status' => 'active',
        'is_current' => false,
    ]);

    $user->tenants()->syncWithoutDetaching([
        $tenantB->getKey() => ['role' => 'readonly'],
    ]);

    $tenantB->makeCurrent();

    expect($tenantA->fresh()->is_current)->toBeFalse();
    expect($tenantB->fresh()->is_current)->toBeTrue();

    Livewire::actingAs($user)
        ->test(ChooseTenant::class)
        ->call('selectTenant', $tenantA->getKey())
        ->assertRedirect(TenantDashboard::getUrl(tenant: $tenantA));
});

test('users cannot switch to a tenant they are not a member of', function () {
    [$user] = createUserWithTenant(role: 'readonly');

    $tenant = Tenant::factory()->create([
        'status' => 'active',
    ]);

    Livewire::actingAs($user)
        ->test(ChooseTenant::class)
        ->call('selectTenant', $tenant->getKey())
        ->assertStatus(404);
});

test('readonly users cannot deactivate tenants (archive)', function () {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    Filament::setTenant($tenant, true);

    expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_DELETE, $tenant))->toBeFalse();

    Livewire::actingAs($user)
        ->test(ListTenants::class)
        ->assertTableActionDisabled('archive', $tenant)
        ->callTableAction('archive', $tenant);

    expect($tenant->fresh()->trashed())->toBeFalse();
});

test('readonly users cannot force delete tenants', function () {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    $tenant->delete();

    Filament::setTenant($tenant, true);

    expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_DELETE, $tenant))->toBeFalse();

    Livewire::actingAs($user)
        ->test(ListTenants::class)
        ->assertTableActionDisabled('forceDelete', $tenant)
        ->callTableAction('forceDelete', $tenant);

    expect(Tenant::withTrashed()->find($tenant->getKey()))->not->toBeNull();
});

test('readonly users cannot verify tenant configuration', function () {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    Filament::setTenant($tenant, true);

    expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();

    Livewire::actingAs($user)
        ->test(ListTenants::class)
        ->assertTableActionDisabled('verify', $tenant)
        ->callTableAction('verify', $tenant);
});

test('readonly users cannot setup intune rbac', function () {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    Filament::setTenant($tenant, true);

    expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();

    Livewire::actingAs($user)
        ->test(ListTenants::class)
        ->assertTableActionDisabled('setup_rbac', $tenant);
});

test('readonly users cannot edit tenants', function () {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    Filament::setTenant($tenant, true);

    expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();

    Livewire::actingAs($user)
        ->test(ListTenants::class)
        ->assertTableActionDisabled('edit', $tenant);
});

test('readonly users cannot open admin consent', function () {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    Filament::setTenant($tenant, true);

    expect(\App\Filament\Resources\TenantResource::adminConsentUrl($tenant))->not->toBeNull();
    expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();

    Livewire::actingAs($user)
        ->test(ListTenants::class)
        ->assertTableActionDisabled('admin_consent', $tenant);
});

test('readonly users cannot start tenant sync from tenant menu', function () {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    Filament::setTenant($tenant, true);

    expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_SYNC, $tenant))->toBeFalse();

    Livewire::actingAs($user)
        ->test(ListTenants::class)
        ->assertTableActionDisabled('syncTenant', $tenant);
});